I have two Windows 2008 forests in Win2003 mode and I need to set up a one way trust between them. The validation button in Domains And Trusts works in one forest but not in the other.

I think this is because not all DCs can see all the other DCs. I'm not sure if I need to set up the hosts file, so I did so with company.com in the respective domain along with the relevant DC. (Do I need _msdcs, _tcp zones, etc.?)

How do I set up a one way trust when some DCs are firewalled off from each other?

4 Answers
4

You should only need DNS resolution for the AD domain name itself, not for specific zones or RRs in the zones. You need to isolate the problem to either a name resolution problem (DNS) or to a communication problem (firewall).

Rather than using host files, the recommended configuration is to set up conditional forwarders for each domain in the opposing domain's DNS servers (DNS serverA in domainA has a conditional forwarder to DNS serverB for domainB).

From each domain run nslookup and query for the other domain (domain.tld). Nslookup should return the IPv4 and IPv6 IP addresses for the DNS servers for that domain (which are probably also the DCs for that domain, unless you've split the DNS role off of the DCs). If nslookup works then DNS resolution is OK and you should look at the firewall as the likely culprit.

Thanks, do all DCs need to be able to communicate with all the others? Just the ones holding a FSMO?
–
makerofthings7 Mar 29 '12 at 4:33

2

All of the DCs should be able to communicate with each other. FSMO roles don't come into play here.
–
MDMarra Mar 29 '12 at 18:58

That may be the issue, some DCs are on subnets that can't route to the others. This happens when we quickly acquire new companies and add them onboard. Conflicting subnets get isolated until we can re-IP.
–
makerofthings7 Mar 29 '12 at 22:27

Then it sounds like you need to set up a site-to-site VPN and split-tunnel your traffic in these instances.
–
MDMarra Mar 29 '12 at 22:42

Do you think Direct Access could be of benefit?
–
makerofthings7 Mar 29 '12 at 23:20

Your firewall will need to allow LDAP and DNS traffic between domain controllers in each forest. You will need at least 1, but 2 would be best for redundancy. You do not need to create a firewall rule for every domain controller.

You will also want to set up conditional forwarders in each domain. On a DC/DNS Server in Forest A, create a conditional forwarder for Forest B pointing to 1 or 2 DNS servers in forest B. Then, in Forest B, create a conditional forwarder for Forest A that points to 1 or 2 DNS servers in Forest A.

SturdyErde YOU ARE THE MAN!! Conditional forwarding on my DNS servers solved my 2 month long battle with a trust relationship between 2 domains on different subnets between 2 routers. I had been thinking it was a routing issue up until I saw this post tonight in which you explained to use Conditional Forwarding rules on the DNS servers instead of the "Secondary DNS Zone" solution which I've been using. For some reason the secondary zone solution works for me when domains are linked site to site via IPsec, but when trusting two domains that are in the same building but are on different subnets, cond
–
user130789 Aug 3 '12 at 0:03

Glad I could return a favor to another Stack Exchange user. :)
–
SturdyErde Aug 18 '12 at 13:58
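The conditional-forwarder setup from this answer, followed by the "is it DNS or is it the firewall" test MDMarra describes in the first answer, as an added example script that is not part of either answer. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later; on the 2008 servers in the question the forwarder is created with dnscmd instead), and the forest name and addresses are placeholders:

```powershell
# Added example, not from the original answers. Assumes the DnsServer and DnsClient
# modules (Windows Server 2012 or later). 'forestb.example' and the 10.0.2.x addresses
# are placeholders for forest B's name and its DC/DNS servers.
$remoteForest   = 'forestb.example'
$remoteDnsHosts = @('10.0.2.10', '10.0.2.11')   # two servers, for redundancy

# 1. Conditional forwarder for forest B, stored in AD and replicated to every DNS server
#    in forest A. Run on one DC/DNS server in forest A; create the mirror image in forest B.
Add-DnsServerConditionalForwarderZone -Name $remoteForest `
    -MasterServers $remoteDnsHosts -ReplicationScope 'Forest'

# 2. Name-resolution check (the nslookup test). The bare domain name must return the
#    addresses of forest B's DCs. Because the forwarder covers the whole zone, the
#    _msdcs/_tcp SRV records resolve through it too, so no separate zones are needed.
$dcAddresses = Resolve-DnsName -Name $remoteForest -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteForest" -Type SRV `
    -ErrorAction SilentlyContinue

if (-not $dcAddresses) {
    Write-Warning "No A records for $remoteForest: fix DNS (the forwarder) before blaming the firewall"
    return
}
Write-Host "DNS OK: $remoteForest -> $($dcAddresses -join ', '); SRV records found: $([bool]$srv)"

# 3. Reachability check. DNS already resolves, so a failed TCP connect here points at the
#    firewall between the sites. 53 = DNS over TCP, 389 = LDAP (the two the answer names).
foreach ($ip in $dcAddresses) {
    foreach ($port in 53, 389) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} {2}' -f $ip, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Step 2 failing means the forwarder (or the path to the forwarded-to servers) is the problem; step 2 passing and step 3 failing means the firewall. Note that the two ports tested are only the ones the answer names; creating and using a forest trust also needs Kerberos, RPC endpoint mapper plus dynamic RPC, and SMB between the DCs, so a "BLOCKED" on those would show up as a trust failure even with DNS and LDAP open.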

We use IPsec connections between our DCs when they have DMZ-like network zones between them. We do this purely to make the rule-base for our comms team smaller and easier to manage - one port versus many.

The benefit of IPsec is that this allows all traffic destined for each other (regardless of source port & type) to get wrapped up.
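A DC-to-DC connection security rule of the kind this answer describes, as an added example that is not the answerer's own configuration. It assumes the NetSecurity PowerShell module (Windows Server 2012 or later; on 2008 the same rule is created with netsh advfirewall consec), and the two addresses are placeholders:

```powershell
# Added example, not from the original answer. Assumes the NetSecurity module
# (Windows Server 2012 or later). Addresses are placeholders; run on each DC with
# $localDc and $remoteDc swapped.
$localDc  = '10.0.1.10'
$remoteDc = '10.0.2.10'

# Connection security rule: every packet between the two DCs, whatever port or
# protocol, must travel inside authenticated, integrity-protected IPsec (transport
# mode). Authentication uses the default phase 1 auth set (computer Kerberos), so
# both DCs must already be able to reach a KDC; use certificate authentication when
# that is not the case. 'Require' on both directions blocks any unprotected traffic
# to the peer; start with 'Request' on a first rollout so a misconfigured rule does
# not cut off replication.
New-NetIPsecRule -DisplayName 'DC to DC (IPsec transport)' `
    -LocalAddress $localDc -RemoteAddress $remoteDc -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Require

# What the firewall between the zones now has to pass for this pair of hosts,
# instead of LDAP, Kerberos, RPC endpoint mapper, dynamic RPC, SMB, DNS and so on
# individually:
#   UDP 500 and UDP 4500   (IKE, and IKE NAT traversal)
#   IP protocol 50         (ESP, carrying the wrapped traffic)

# Host-side check once replication or LDAP traffic has flowed: a quick-mode
# security association to the peer must exist, otherwise the traffic is not
# actually being protected.
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $remoteDc } | Format-List
```

The trade-off a practitioner should keep in mind: once everything between the DCs rides inside ESP, the perimeter firewall can no longer see or filter the individual services, so that per-service control moves to the host firewall on the DCs themselves.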